The Rise of APIs


REST APIs are everywhere
  - 83% of all web traffic is API traffic
  - Web & mobile apps, IoT devices
Popularity of microservice architectures
  - Better resiliency, scalability, reusability
Public APIs
  - Unlock data for new revenue streams
Vendor/product APIs
API Security Top 10
OWASP (The Open Web Application Security Project)

 1. Broken Object Level Authorization (BOLA)
 2. Broken User Authentication
 3. Excessive Data Exposure
 4. Lack of Resources & Rate Limiting
 5. Broken Function Level Authorization
 6. Mass Assignment
 7. Security Misconfiguration
 8. Injection
 9. Improper Assets Management
10. Insufficient Logging & Monitoring

Swagger / OpenAPI

Swagger is a specification to describe an API
  - Name changed to OpenAPI starting with version 3
  - OAS = OpenAPI Specification
About Swagger/OAS files:
  - Either JSON or YAML format
  - Typically available from dev teams
  - Often auto-generated by tools
Example: Uber API

Products
  GET  /products         Product Types
Estimates
  GET  /estimates/price  Price Estimates
  GET  /estimates/time   Time Estimates
User
  GET  /me               User Profile
  GET  /history          User Activity
Swagger File

Excerpt of the "paths" section describing GET /estimates/time (Swagger 2.0 style, where non-body parameters carry "type" directly):

"/estimates/time": {
  "get": {
    "summary": "Time Estimates",
    "description": "Get trip time estimate",
    "parameters": [
      {
        "name": "start_latitude",
        "in": "query",
        "required": true,
        "type": "number",
        "format": "double"
      },
      {
        "name": "start_longitude",
        "in": "query",
        "required": true,
        "type": "number",
        "format": "double"
      },
      {
        "name": "product_id",
        "in": "query",
        "type": "string"
      }
    ]
  }
}
Swagger Global Security Directives

"schemes": [
  "http",
  "https"
],
"security": [
  {
    "myBasicAuth": []
  }
],
"securityDefinitions": {
  "myBasicAuth": {
    "type": "basic"
  },
  "myApiKey": {
    "type": "apiKey",
    "name": "api_key",
    "in": "header"
  },
  "myOAuth2": {
    "type": "oauth2",
    "authorizationUrl": "https://auth.petstore.com/oauth/form",
    "flow": "implicit",
    "scopes": {
      "write:pets": "create or modify pet data",
      "read:pets": "read pet data"
    }
  }
}
Qualys API Security

Static Assessment of your Swagger / OpenAPI file
  - Get a score and recommended changes
Conformance Scan
  - Test the API endpoints for behaviors that violate the Swagger file "contract"
Vulnerability Scan
  - This is a current feature of Qualys Web Application Scanning (WAS)
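As an added example (not Qualys code and not from the slides), a minimal static assessment in the spirit of the first bullet and of the global security directives shown earlier: it walks a constructed Swagger 2.0 document modelled on the excerpts above and deducts points for weak settings. The rules, weights and the sample document are my own assumptions.

```python
import json

# Constructed Swagger 2.0 fragment modelled on the slide excerpts (not a real Uber spec).
SPEC = json.loads("""
{
  "swagger": "2.0",
  "schemes": ["http", "https"],
  "security": [{"myBasicAuth": []}],
  "securityDefinitions": {
    "myBasicAuth": {"type": "basic"},
    "myApiKey": {"type": "apiKey", "name": "api_key", "in": "query"},
    "myOAuth2": {"type": "oauth2", "flow": "implicit",
                 "authorizationUrl": "https://auth.petstore.com/oauth/form",
                 "scopes": {"read:pets": "read pet data"}}
  },
  "paths": {
    "/estimates/time": {"get": {"summary": "Time Estimates",
      "parameters": [{"name": "start_latitude", "in": "query", "type": "number"}]}},
    "/history": {"get": {"summary": "User Activity", "security": []}}
  }
}
""")

def assess(spec):
    """Score a Swagger 2.0 document: start at 100, deduct per weak setting found."""
    findings = []  # (location, message, deduction)
    schemes = spec.get("schemes", [])
    if "http" in schemes:
        findings.append(("schemes", "plain http allowed; serve https only", 20))
    if not spec.get("security"):
        findings.append(("security", "no global security requirement", 20))
    for name, d in spec.get("securityDefinitions", {}).items():
        if d.get("type") == "basic" and "http" in schemes:
            findings.append((name, "basic auth credentials may travel over plain http", 15))
        if d.get("type") == "apiKey" and d.get("in") == "query":
            findings.append((name, "API key in the query string lands in logs; use a header", 10))
        if d.get("type") == "oauth2" and d.get("flow") == "implicit":
            findings.append((name, "implicit flow puts tokens in the URL fragment; prefer accessCode", 10))
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            where = f"{method.upper()} {path}"
            if "security" in op and not op["security"]:
                findings.append((where, "operation disables security with an empty list", 15))
            for p in op.get("parameters", []):
                if p.get("type") == "number" and "maximum" not in p:
                    findings.append((where, f"numeric parameter {p['name']} has no range limit", 5))
    score = max(0, 100 - sum(w for _, _, w in findings))
    return score, findings
```

Running `assess(SPEC)` on the constructed document returns a score of 25 with six findings; a document that lists only "https" and carries a global security requirement scores 100.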
DEMO:
Final Thoughts

The use of APIs will continue to expand
Insecure APIs are a growing threat
API security requires a different approach compared to web applications
Qualys API Security will help developers secure APIs from design to development to production